How to identify vulnerabilities in common software products

Large numbers of binary planting vulnerabilities (also known as “DLL spoofing” or “DLL preloading attacks”) have been discovered in third-party applications running on Microsoft Windows platforms. Software companies are aware of this class of exploit and are working on fixes for such vulnerabilities in their products.

In an advisory, Microsoft has spoken about the seriousness of this threat. Scenarios in which an attacker takes complete control of an affected system by exploiting such a vulnerability are realistic.

Unsafe coding practices in legitimate applications running on Microsoft Windows platforms are one reason why such exploits can become very dangerous in corporate environments. The issue of binary planting attacks is taken very seriously.

How does the attack work?

An attacker may use social engineering to convince the victim to open a “common”, apparently legitimate file, e.g. a simple image file. The image file may be located on a remote network location, such as an “http://” address.

In our test scenario the victim is logged on as a domain administrator on a Microsoft Windows Server machine. The victim decides to open this image file with an image viewer installed on his machine. The image viewer is vulnerable to the binary planting attack.

The image viewer application may need to load a dynamic-link library at run time. Because the fully qualified path name has not been specified, Microsoft Windows, instructed by the image viewer, will search for this dynamic-link library in a set of directories in a particular order.

These directories are:

1. The directory from which the application loaded

2. The system directory

3. The 16-bit system directory

4. The Windows directory

5. The current directory

6. The directories that are listed in the PATH environment variable.

One of these directories is the current directory, where the image file has been stored.

If the attacker has full access to one of the directories that Microsoft Windows searches, the attacker may be able to place a malicious copy of the DLL in that directory.

In such a case the application will load and execute the malicious DLL without verification. This may allow the attacker to gain full control of the affected machine. If so, he may be able to perform unwanted actions on the machine such as creating a new user account, accessing sensitive files in specific directories, and more.

Web security and firewall products may become an essential instrument for blocking, and possibly preventing, the download of such malicious code from a remote network location.

The interesting point is that nowadays attackers try to hide harmful attacks behind legitimate actions, which emphasizes once more the importance of web and IT security in a corporate environment.
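The part of the search order that the scenario above abuses is step 5, the current directory. Windows exposes two loader settings that decide whether, and in which position, that directory is consulted: SafeDllSearchMode and the CWDIllegalInDllSearch value that Microsoft introduced alongside its advisory. The following audit script is an added example, not code from the original post; it assumes Windows PowerShell 3.0 or later with read access to HKLM, and 'viewer.exe' is a placeholder executable name, not a real product.

```powershell
# Added example (not from the original post): report how the Windows loader
# treats the current directory (step 5 of the search order) for one executable.
# Assumes Windows PowerShell 3.0+; 'viewer.exe' below is a placeholder name.

function Get-CwdDllSearchPolicy {
    param([Parameter(Mandatory = $true)][string]$ExeName)

    $machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $appKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\' + $ExeName

    # SafeDllSearchMode = 1 (default since XP SP2) gives the order listed in the post.
    # 0 is the legacy order, where the current directory is searched right after the
    # application directory and therefore ahead of System32.
    $safe = (Get-ItemProperty -Path $machineKey -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    if ($null -eq $safe) { $safe = 1 }

    # CWDIllegalInDllSearch: a per-application value (Image File Execution Options)
    # takes precedence over the machine-wide one under Session Manager.
    $cwd = (Get-ItemProperty -Path $appKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    $scope = 'per-application'
    if ($null -eq $cwd) {
        $cwd = (Get-ItemProperty -Path $machineKey -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
        $scope = 'machine-wide'
    }
    if ($null -eq $cwd) { $cwd = 0; $scope = 'not configured' }
    # The registry DWORD 0xFFFFFFFF is returned as Int32 -1; reinterpret it unsigned.
    $cwd = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$cwd), 0)

    $effect = switch ($cwd) {
        0          { 'current directory is searched, including remote (WebDAV/UNC) folders' }
        1          { 'current directory is skipped only when it is a WebDAV folder' }
        2          { 'current directory is skipped when it is any remote folder (WebDAV or UNC)' }
        4294967295 { 'current directory is never searched' }
        default    { "unrecognised value $cwd" }
    }

    [pscustomobject]@{
        Executable            = $ExeName
        SafeDllSearchMode     = [int]$safe
        CWDIllegalInDllSearch = ('0x{0:X8}' -f $cwd)
        Scope                 = $scope
        Effect                = $effect
        # The "image opened from a remote location" scenario is closed by value 2 or higher.
        BlocksRemoteCwd       = ($cwd -ge 2)
    }
}

Get-CwdDllSearchPolicy -ExeName 'viewer.exe' | Format-List
```

A result with SafeDllSearchMode 0, or BlocksRemoteCwd False on a host where users open documents from shares or WebDAV, is the configuration the post's scenario relies on.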

About the Author: Mohammed S Ali

3 Comments

Sue Walsh September 27, 2010 at 6:08 am

Good post! Hackers get sneakier every day. There’s a new wave of plug and play spam that may be related to this. It uses Javascript to launch a variety of exploits without the victim having to do much of anything. The messages come with the contact information of a very real, very legit company in the signature line to further trick their victims.

balta graham December 12, 2010 at 6:46 pm

I’ll be attending an online and systems security seminar next week (I can’t imagine how they schedule these things so close to the holidays) and noticed that binary planting vulnerabilities are to be part of one of the main talks. I guess they must stand to be a real threat to security to be highlighted like that. But thanks for the brief overview; looks like I’ll be ahead of the curve (by a bit) when I get to the seminar.

abigail January 4, 2011 at 10:15 pm

With the latest release of a wide range of Microsoft Windows based software patches before the holiday season, have there been any addressing the host of binary planting vulnerabilities? I think this is a serious security vulnerability which affects some of the more widely used programs on the Microsoft Windows platform. If Microsoft doesn’t address this sooner or later, users might find themselves in a security pickle sooner rather than later.